Ionel
ionel-dev.bsky.social
long-time lurker
Reposted by Ionel
veth on MacOS
How to create and use Linux virtual-ethernet (veth) like interfaces on MacOS
srivatsp.com
December 11, 2025 at 12:28 PM
Reposted by Ionel
NetworkMiner 3.1 Released!
🔑 More usernames, passwords and hostnames from #PCAP
💻 Improved user interface
👾 Better details from malware C2 traffic
netresec.com?b=25C4039
NetworkMiner 3.1 Released
This NetworkMiner release brings improved extraction of artifacts like usernames, passwords and hostnames from network traffic. We have also made some updates to the user interface and continued our e...
netresec.com
December 1, 2025 at 9:12 AM
Reposted by Ionel
Studying for a CCNA/CCIE? Or some other networking cert? Ostinato for Labbing (GNS3, EVE-NG, CML and CLAB) has a Black Friday Sale! Level up your Labs TODAY! #LabEveryday
November 28, 2025 at 9:44 AM
Reposted by Ionel
The Black Friday Sale is now LIVE!
November 20, 2025 at 1:30 PM
Reposted by Ionel
I’m looking for a junior dev (or intern) to work with me on Ostinato - my network traffic generator / packet crafter product.

C++, Qt, Python, networking - lots of hands-on learning.

Please share if you know someone who might be a good fit🙏
November 12, 2025 at 12:40 PM
Reposted by Ionel
Call for Papers: SharkFest’26 US
Nashville, TN | July 18–23, 2026

Share your packet analysis, troubleshooting, or Wireshark insights with the community! Submit your talk today:
sharkfest.wireshark.org/sfus/

#SharkFest #Wireshark #PacketAnalysis #NetworkEngineering #NashvilleTech #sf26us
November 11, 2025 at 10:22 PM
Reposted by Ionel
Monitoring for too many old indicators not only costs money, it can even inhibit detection of real intrusions.
📆 Include "last seen" date when publishing IOCs
❌ Prune old IOCs
📜 Prioritize long lived IOCs over short lived ones
netresec.com?b=25Be9dd
Optimizing IOC Retention Time
Are you importing indicators of compromise (IOC) in the form of domain names and IP addresses into your SIEM, NDR or IDS? If so, have you considered for how long you should keep looking for those IOCs...
netresec.com
November 6, 2025 at 1:08 PM
Reposted by Ionel
Some recent job postings requiring Ostinato skills!
November 5, 2025 at 9:51 AM
Reposted by Ionel
Want to generate some synthetic SRv6 traffic?
October 29, 2025 at 4:40 PM
Reposted by Ionel
Details and instructions for each labbing platform are here -

ostinato.org/blog/vi...
(2/2)
Labbing with Ostinato - Minus the VNC pain
Learn how to run the Ostinato GUI locally on your laptop while controlling Ostinato nodes inside GNS3, EVE-NG, CML, and Containerlab
ostinato.org
September 9, 2025 at 2:56 PM
Reposted by Ionel
I am awarded a gold medal by the Royal Swedish Academy of Sciences for my work on #curl

daniel.haxx.se/blog/2025/10...
A royal gold medal
The Royal Swedish Academy of Sciences (IVA, the same org that selects winners for three of the Nobel prize categories) awards me a gold medal in 2025 for my work on curl. This academy, established 1919 b...
daniel.haxx.se
October 21, 2025 at 6:36 AM
Reposted by Ionel
After years of steady evolution, Ostinato 2.0 is finally here.

A big milestone for the project - modernized, faster, and built for what’s next.
October 16, 2025 at 2:47 PM
Reposted by Ionel
Gh0stKCP is a C2 transport protocol based on KCP. It has been used by malware families such as #PseudoManuscrypt and #ValleyRAT.
netresec.com?b=259a5af
Gh0stKCP Protocol
Gh0stKCP is a command-and-control (C2) transport protocol based on KCP. It has been used by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0. @Jane_0sint recently tweeted about ValleyR...
netresec.com
September 24, 2025 at 12:22 PM
Reposted by Ionel
Pre-Conference Spotlight

Join Eddi Blenkers at SharkFest’25 Europe for a hands-on SMB Masterclass!

Master SMB2/SMB3 traffic analysis & troubleshoot real-world file share issues.

- Warsaw, Nov 4
- sharkfest.wireshark.org/sfeu

#sf25eu #Wireshark #SMB #Networking #SharkFest
September 29, 2025 at 4:47 PM
Reposted by Ionel
Video: Detecting #XenoRAT C2 connections using example traffic from known malware sample.
netresec.com?b=258f641
Define Protocol from Traffic (XenoRAT)
This video shows how to define a protocol in CapLoader just by providing examples of what the protocol looks like. CapLoader can then identify that protocol in other traffic, regardless of IP address ...
netresec.com
August 21, 2025 at 1:22 PM
Reposted by Ionel
How to identify #PureRAT (aka #ResolverRAT):
⛳️ C2 port is often 56001, 56002 or 56003
🔢 Bot sends 04 00 00 00, then TLS handshake
🔑 Client and server run TLS 1.0
🖊️ X.509 cert is self signed
📅 X.509 cert expires 9999-12-31
netresec.com?b=2589522
PureRAT = ResolverRAT = PureHVNC
PureRAT is a Remote Access Trojan, which can be used by an attacker to remotely control someone else's PC. PureRAT provides the following features to an attacker: See the victim's user interface Int...
netresec.com
August 12, 2025 at 6:20 PM
Reposted by Ionel
CapLoader 2.0.1 Released
⚠️ IP lookup alert
🔎 Better protocol identification
🐛 Bug fixes
netresec.com?b=2571527
CapLoader 2.0.1 Released
This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader. Alert for IP lookup using ip-api.com in PCAP from tria.ge Transcript of ...
netresec.com
July 1, 2025 at 1:58 PM
Reposted by Ionel
CapLoader 2.0 released today!
🔎 Identifies over 250 protocols in #PCAP
🎨 Define protocols from example traffic
🇶 Extracts JA3, JA4 and SNI from QUIC
💻 10x faster user interface
netresec.com?b=256dbbc
CapLoader 2.0 Released
I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allows users to defin...
netresec.com
June 2, 2025 at 3:56 PM
Reposted by Ionel
The new Wireshark certification is finally here! A lot of work went into this, making sure it's a certification that proves skills as a network analyst and not just knowledge of the UI.
The Wireshark Foundation proudly announces the official Wireshark Certified Analyst (WCA) certification! The WCA is designed so you stand out as a technical engineering powerhouse in the crowded field of IT Professionals.

Learn more: www.wireshark.org/blog/2025-06...

#Wireshark #WCA
June 2, 2025 at 6:57 PM
Reposted by Ionel
Thank you CISA, @ncsc.gov.uk, @bsi.bund.de et al. for publishing the advisory on Russian GRU Targeting Western Logistics Entities and Technology Companies. This list of mocking services is great for threat hunting!
www.cisa.gov/news-events/...
May 22, 2025 at 5:16 PM
Reposted by Ionel
Did you know that NetworkMiner parses the #njRAT protocol? The following artefacts are extracted from njRAT C2 traffic:
🖥️ Screenshots of victim computer
📁 Transferred files
👾 Commands from C2 server
🤖 Replies from bot
🔑 Stolen credentials/passwords
⌨️ Keylog data
netresec.com?b=2541a39
Decoding njRAT traffic with NetworkMiner
I investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific). About njRAT / Bladabindi njRAT is a...
netresec.com
April 28, 2025 at 6:28 AM